import clevis-18-106.el9

This commit is contained in:
CentOS Sources 2022-11-15 01:48:49 -05:00 committed by Stepan Oksanichenko
parent a6a3bf0924
commit f8a2cf5a25
4 changed files with 147 additions and 11 deletions

View File

@ -0,0 +1,25 @@
--- clevis-18.ori/src/clevis 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/clevis 2022-06-20 14:29:50.148261656 +0200
@@ -27,6 +27,8 @@
}
cmd=clevis
+input_commands="$cmd $@"
+
while [ $# -gt 0 ]; do
[[ "$1" =~ ^- ]] && break
cmd="$cmd-$1"
@@ -36,8 +38,11 @@
done
exec >&2
-echo
-echo "Command '$cmd' is invalid"
+if [ "$cmd" != "clevis" ];
+then
+ echo
+ echo "Command '$input_commands' is invalid"
+fi
echo
echo "Usage: clevis COMMAND [OPTIONS]"
echo

View File

@ -0,0 +1,54 @@
From da988dee93fd3171d41248fe884c627cdafa563e Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi <sarroutb@redhat.com>
Date: Tue, 2 Aug 2022 09:25:54 -0300
Subject: [PATCH] Improve boot performance by removing key check
---
src/luks/clevis-luks-common-functions.in | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in
index f018340..d059aae 100644
--- a/src/luks/clevis-luks-common-functions.in
+++ b/src/luks/clevis-luks-common-functions.in
@@ -313,6 +313,7 @@ clevis_luks_check_valid_key_or_keyfile() {
clevis_luks_unlock_device_by_slot() {
local DEV="${1}"
local SLT="${2}"
+ local SKIP_CHECK="${3}"
[ -z "${DEV}" ] && return 1
[ -z "${SLT}" ] && return 1
@@ -327,8 +328,9 @@ clevis_luks_unlock_device_by_slot() {
|| [ -z "${passphrase}" ]; then
return 1
fi
-
- clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
+ if [ -z "${SKIP_CHECK}" ]; then
+ clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
+ fi
printf '%s' "${passphrase}"
}
@@ -336,6 +338,8 @@ clevis_luks_unlock_device_by_slot() {
# parameter and returns the decoded passphrase.
clevis_luks_unlock_device() {
local DEV="${1}"
+ local SKIP_CHECK="YES"
+
[ -z "${DEV}" ] && return 1
local used_slots
@@ -346,7 +350,7 @@ clevis_luks_unlock_device() {
local slt pt
for slt in ${used_slots}; do
- if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}") \
+ if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}" "${SKIP_CHECK}") \
|| [ -z "${pt}" ]; then
continue
fi
--
2.35.1

View File

@ -0,0 +1,45 @@
From 0654fd3f3fd1ebc080cb1140774120d8f392137b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
<1163635+rmetrich@users.noreply.github.com>
Date: Wed, 1 Dec 2021 09:37:35 -0300
Subject: [PATCH] luks: enable debugging in clevis scripts when rd.debug is set
(#340)
On Fedora/RHEL, the rd.debug kernel command line parameter controls
debugging.
By implementing the functionality inside clevis, troubleshooting will be
greatly eased.
See RHBZ #1980742 (https://bugzilla.redhat.com/show_bug.cgi?id=1980742).
---
src/luks/clevis-luks-common-functions.in | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in
index d059aae..87b370f 100644
--- a/src/luks/clevis-luks-common-functions.in
+++ b/src/luks/clevis-luks-common-functions.in
@@ -20,6 +20,21 @@
CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+enable_debugging() {
+ # Automatically enable debugging if in initramfs phase and rd.debug
+ if [ -e /usr/lib/dracut-lib.sh ]; then
+ local bashopts=$-
+ # Because dracut is loosely written, disable hardening options temporarily
+ [[ $bashopts != *u* ]] || set +u
+ [[ $bashopts != *e* ]] || set +e
+ . /usr/lib/dracut-lib.sh
+ [[ $bashopts != *u* ]] || set -u
+ [[ $bashopts != *e* ]] || set -e
+ fi
+}
+
+enable_debugging
+
# valid_slot() will check whether a given slot is possibly valid, i.e., if it
# is a numeric value within the specified range.
valid_slot() {
--
2.35.1

View File

@ -1,6 +1,6 @@
Name: clevis
Version: 18
Release: 102%{?dist}
Release: 106%{?dist}
Summary: Automated decryption framework
License: GPLv3+
@ -13,6 +13,9 @@ Patch0002: 0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch
Patch0004: 0004-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
Patch0005: 0005-tang-dump-url-on-error-communication.patch
Patch0006: 0006-feat-rename-the-test-pin-to-null-pin.patch
Patch0007: 0007-avoid-clevis-invalid-msg.patch
Patch0008: 0008-Improve-boot-performance-by-removing-key-check.patch
Patch0009: 0009-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
BuildRequires: git-core
BuildRequires: gcc
@ -48,6 +51,7 @@ Requires: jose >= 8
Requires: curl
Requires: jq
Requires(pre): shadow-utils
Requires(post): systemd
Recommends: cracklib-dicts
%description
@ -132,16 +136,8 @@ if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then
fi
exit 0
%posttrans
# In case the clevis-luks-askpass is enabled, make sure it's using the
# correct target, which changed in v14.
[ "$(find /etc/systemd/system/ -name "clevis-luks-askpass*")" ] || exit 0
find /etc/systemd/system/ -name "clevis-luks-askpass*" \
| grep -q cryptsetup.target.wants && exit 0
find /etc/systemd/system/ -name "clevis-luks-askpass*" -exec rm {} +
systemctl enable clevis-luks-askpass.path >/dev/null 2>&1 || :
exit 0
%post systemd
systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
%files
%license COPYING
@ -200,6 +196,22 @@ exit 0
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
%changelog
* Tue Aug 02 2022 Sergio Correia <scorreia@redhat.com> - 18-106
- Enable debugging in clevis scripts when rd.debug is set
Resolves: rhbz#2022420
* Tue Aug 02 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-105
- Start clevis-luks-askpass.path service according to global policy
Resolves: rhbz#2107078
* Thu Jul 21 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-104
- Improve boot performance by removing key check
Resolves: rhbz#2099701
* Mon Jun 20 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-103
- Avoid invalid message for clevis command
Resolves: rhbz#2080281
* Wed Jan 26 2022 Sergio Correia <scorreia@redhat.com> - 18-102
- Support a null pin
Resolves: rhbz#2028091